• On TV.com: New TV sex symbol: Vintage black PORSCHE
March 31, 2009 5:53 PM PDT

Rid your computer of the Conficker virus

by Seth Rosenblatt
  • Font size
  • Print
  • 74 comments

Let's assume you're on the receiving end of the worst April Fool's Day joke of 2009: your computer's been infected with the Conficker virus. It's a frustrating but not insurmountable problem. This guide will walk you through how to cleanse your computer and inoculate against other Conficker variants.

First off, make sure that you are actually infected. There aren't many warning signs, but a few will stand out if you know what to look for. One fast way to check is to try to visit any major security software publisher's Web site. If you've cleared your browser cache beforehand, and you can load the sites of Symantec, Eset, Avira, or AVG, you're clean because Conficker blocks access to them.

Another good litmus test is to check on the status and functionality of Windows services such as Automatic Updates, the Background Intelligent Transfer Service, Windows Defender, and Error Reporting Services. If any of those have been disabled without your consent, or if your account lockout policies have changed without approval, you might be infected. Other warning signs include unusually high traffic on your local area network, and domain controllers responding slowly to client requests.

If you're running an up-to-date virus scanner, it's unlikely you'll get infected unless you've configured your computer to not receive automatic Windows updates. Checking your list of installed updates for security update MS08-067 (KB 958644) is not recommended because the worm, alternatively known as Kido, Downup, or Downadup, fakes the patch job.

Assuming you've got the virus, the next step is to download one of several free removal clients. The Conficker-specific tools are McAfee's Stinger, Eset's Win32/Conficker Worm Removal Tool, Symantec's W32.Downadup Removal Tool, and Sophos' Conficker Cleanup Tool.

Avira specifically mentions on their Web site that Antivir will prevent infection and remove the virus if you have it, although I don't have an infected machine to confirm this against. AVG states that AVG Free will protect you against the virus, but doesn't say if it can remove it once you've been infected.

If none of these programs work for you, Avira also offers Conficker-specific instructions on how to use their rescue CD to fix your computer. This requires a secondary computer so you can create the CD, if you haven't done so prior to infection.

It is strongly recommended that if you're infected and you have the luxury of a second machine, disconnect the infected computer from the Internet and install any repair programs or other fixes via CD or USB key.

One of the most common infection vectors for Conflicker and its ilk is the Windows AutoRun feature. Eset claims that one out of every 15 threats they detected in 2008 used autorun.inf. Unfortunately, disabling it is not as simple as you may think, because even when disabled through conventional means it still parses most of the autorun.inf file, instead of not reading it at all.

To disable it completely, users will need to copy the text below into Notepad. It should be one line from the left bracket to the final quotation mark.

REGEDIT4 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\IniFileMapping\Autorun.inf]@="@SYS:DoesNotExist"

Save it as something memorable, such as StopAutoRun.REG. Double-click on the saved file, and you close the AutoRun loophole. You also won't be able to automatically play DVDs just by putting them in the disc drive, but that seems a reasonable price to pay for slamming the door on this gaping security flaw.

Once you've gotten your computer clean and killed off the AutoRun feature, there's still more to do. These changes, however, are behavioral. Stay on top of Windows security updates from Microsoft, do not under any circumstances click on any Web-based ''free virus scan'' offers, and make sure you're not only running a reputable security suite, but that it's configured for daily virus definition file updates.

Seth peers into the deep, dark corners of software so that you don't have to. He has yet to suffer a single nightmare about OS/2. You can follow him on Twitter.
Topics:

Security and spyware,

Windows Software

Tags:

Conficker,

protection,

removal,

worm,

virus,

infection

Share:
Digg
Del.icio.us
Reddit
Recent posts from The Download Blog
Multiservice chat and 3D racing: iPhone apps of the week
Seize Seesmic Twitter app on BlackBerry, Android
What's new in Google Earth 5.1? Not much
DJ from your iPhone with TouchDJ
Star Wars Trench Run for iPhone: The Force is strong with this one
Browser security features compared
Touch up your iPhone photos--with cats!
After long wait, Trillian finally comes to iPhone
Add a Comment (Log in or register) Showing 1 of 3 pages (74 Comments)
by ComLink March 31, 2009 6:38 PM PDT
Any advise for Macs? :)
Reply to this comment
by msjonker March 31, 2009 6:51 PM PDT
Enjoy your security through obscurity.
by Vegaman_Dan March 31, 2009 7:11 PM PDT
Yes indeed. If you have Windows loaded on your Macintosh, then you need to take steps to properly secure your system accordingly.

If you are using OS X and asking about this worm, then you haven't read the article closely enough and may require additional time.

if you are just being a troll, then expect to be mocked and ridiculed appropriately.
by screwluk March 31, 2009 7:12 PM PDT
not much reason to protect macs, that way you can stop wasting money on dam laptops that are over priced.
by Perry_Clease March 31, 2009 7:37 PM PDT
"Any advise for Macs?"

Leave that subject alone, they are adults and if they want to use Windows then that is their business. Furthermore you just invite BS comments from the grammar impaired about the security through obscurity and overpriced product myths.

If you think us Mac users are immune from conficker then you are wrong. Somewhere is a Windows computer that has some of your personal info. It doesn't matter if they steal it from your Mac or someone else's PC, you could be screwed.

We are all in this together and the enemy (conficker) of my PC using friends is my enemy.
by CODKill March 31, 2009 8:57 PM PDT
I'm actually worried about macs though. I have both a Windows and Apple machine and if Apple's share of the market keeps rising like it has then I will soon have to start dealing with this stuff for both of my machines.
by calibeep March 31, 2009 9:06 PM PDT
I was hoping for a serious reply to this question, since I run Windows Explorer when I have no choice but to in order to access certain websites, and I do this on Parallels. I have a terrible migraine and spent the day making sure a friend's computer was protected (running Windows Vista; didn't have service pack 1, the latest MS security patches, OR a current antivirus program.) I was hoping to get a quick answer in between puking since the light from the screen makes my headache worse. But, whatever. It turns out some are recommending that those in my situation take some steps: http://www.macfixit.com/article.php?story=2009033108432353 . If this has already been answered here and my headache has made me too blind to see it, give me a pass on this one please :)
by b_baggins April 1, 2009 7:20 AM PDT
@msjonker,

You'll have to explain to me some day how the security is somehow less pure because it's from "obscurity."
by firefoxluva95 April 1, 2009 2:04 PM PDT
I'll explain security through obscurity. Safari (on a Mac) fell in seconds during the Pwn2Own competition. Even IE8 on Windows 7 beat Safari. So the security isn't exactly there...it's just the fact that majority of businesses and end users still use Windows that keeps Mac safe. I mean if Mac had a big enough market share, I'm sure people would try to exploit vulnerabilities on Macs such as the "10 seconds it took for Safari to fall bug". Here is one of the sources that you can get more information about the results of Pwn2Own:

http://gizmodo.com/5175246/safari-cracked-in-seconds-at-pwn2own-hacking-competition
by jake3373 April 1, 2009 2:59 PM PDT
Every single CNET article about viruses always generates a Windows-Mac-Linux war in the comments.
by george_liquor April 2, 2009 9:21 AM PDT
Well, "Any advise for Macs?" pretty much sets the tone for the remainder of the discussion.
by suckb4fxxk March 31, 2009 6:53 PM PDT
Who cares if it is Conficker or (whatever)! Just use Linux and get rid of all these viruses, exactly what I do.
[CNET editor's note: Objectionable material removed.]
Reply to this comment
by screwluk March 31, 2009 7:13 PM PDT
can you run windows games for linux? the ones that are made for vista?
plus all my versions of windows i goted for free
by Vegaman_Dan March 31, 2009 7:14 PM PDT
Excellent advice for those people who want to run Linux. However this story was about Windows. Did you have any advice about the actual subject, or are you just making Linux users look like absolute morons and drooling idiots by your comments?

Right now the second observation is the one you ae presenting.
by 3rdalbum March 31, 2009 7:59 PM PDT
@screwluk: It's "got", not "goted". Some Windows games can be run on Linux with Wine. No Linux games can be run on Windows though :-) What I did was I set up a dual-boot. When you install Linux alongside Windows, whenever you power on the machine it will ask you if you want to run Windows or if you want to run Linux. In Windows, I disabled the network card support so I could play games but not get any infections coming through. Of course, most of the time I used Linux.
by monkeyfun14 March 31, 2009 11:45 PM PDT
@3rdalbum

Yeah of course they can but between bad graphics drivers and emulation factors they run like ****.
by dragonbite April 1, 2009 5:57 AM PDT
Actually, Linux DOES help because if you get a LiveCD, then if you find yourself infected you can use the Linux LiveCD and download a removal tool from your website/security company of choice when they put it out. Drop it into your Windows system, disconnect from the internet and reboot into Windows.

Then you don't have to worry about trying to get updates or patches from the internet as it seems it messes you up from doing that.

So yes, using Linux is a VIABLE alternative to help Window users.
by serix95 April 1, 2009 4:58 PM PDT
Ill PM you guys if i get infected and if i managed to get the IP address.

I was thinking if i find the source i can counter the virus by sending a Computer Crasher to the source.
by bolson567 March 31, 2009 7:09 PM PDT
haha, were all ****** man. Y2K mannnnn, arghhhhhhhhhhh, its the apocalypesssssss arghhhhh.

lol jkjkjkjk
Reply to this comment
by iclue April 1, 2009 1:36 AM PDT
Lol Man, that was funny!! =P
by guest86 March 31, 2009 7:30 PM PDT
Really scary virus! How all anti-virus stop this worm?
Reply to this comment
by ppgreat March 31, 2009 7:38 PM PDT
Thanks, Lauren, for the insight.
Reply to this comment
by AndrewRich March 31, 2009 7:38 PM PDT
The Registry script shown in the article is incomplete:

REGEDIT4 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\IniFileM
Reply to this comment
by jake3373 April 1, 2009 3:02 PM PDT
it said:

REGEDIT4 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\IniFileMapping\Autorun.inf]@="@SYS:DoesNotExist"

but it was on 2 lines...
by littleM March 31, 2009 9:04 PM PDT
Another way to do it (particularly for WIndows 2000 but works on XP too) --

1) in Administrator mode start -- regedit32.exe
2) open the Hive -- HKEY_LOCAL_MACHINE
3) find the Key -- SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
4) add the Value Name -- NoDriveTypeAutoRun
5) use the Type -- REG_DWORD
6) add the Value -- 0x03FFFFFFF

Not for your casual user.
Reply to this comment
by raf60 April 9, 2009 1:08 AM PDT
What doo you do on Vista?
I tried what was offered on CNET (copying REGEDIT4 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\IniFileMapping\Autorun.inf]@="@SYS:DoesNotExist" to NotePad) but got nothing.
Any further info?
by ZetaZeta_ March 31, 2009 9:15 PM PDT
Conficker is so well developed, and then they found that "miracle cure" of sorts in the form of the flaw they found last weekend and just finished coding. It's all too strange... I don't often call conspiracy, but all this Conficker hyper is a huge cash feed to Symantec, et al, and will also deal with Microsoft's primary competitor to Windows: Pirated copies of Windows (which often don't have a usable Windows Update).

It's illegal and strange and far fetched, probably, but if it were true, it would not surprise me in the least.
Reply to this comment
by dragonbite April 1, 2009 5:59 AM PDT
Actually, I would hope that Microsoft DID do something like this as a way to weed out Windows piracy. May not be nice, but piracy is a real threat.
by srosenblatt April 1, 2009 7:57 AM PDT
Well, not precisely. If you're talking about the flaw they found in the virus' code, http://news.cnet.com/8301-1009_3-10207375-83.html, it's not a fix for the virus at all. However, it does allow the white hats to see which computers are infected across the botnet.

I think it's fascinating that this virus was developed AFTER microsoft patched the hole, because that would indicate that those getting infected are not keeping their computers up-to-date. It's sort of similar to still running IE 6.
by pithenumber April 1, 2009 12:48 PM PDT
You can use a pirate version of Windows and have security updates I think
not sure though
by brandonh33 April 1, 2009 2:37 PM PDT
The white hats? The KKK? The KKK has recruited nerds? I knew the KKK was behind this I just had a feeling about it! You guys are spelling it wrong, its actually KonfiKKer. My advise to you is to not watch any black porn and you'll be fine. Freaking racist KKK pranksters! Is this what the world is coming to?
by Michichael March 31, 2009 10:00 PM PDT
Or step one - block Chinese and Russian IP addresses. Nothing good has ever come from those country's IP's.
Reply to this comment
by rlinnabary April 8, 2009 5:38 AM PDT
Same applies to ANY e-mail that you receive that contains the word "Nigiria" in the e-mail.........
by iclue April 1, 2009 1:38 AM PDT
This virus is a scary thing....but I know I don't have it because I was able to visit those few websites, that are supposedly blocked if you have it.
Reply to this comment
by deenewthis April 1, 2009 1:43 AM PDT
Linux hmm you know that they can still get virus just like apple can. No machine is free from getting virus.
Reply to this comment
by 00onefour April 1, 2009 4:35 AM PDT
I don't really find viruses a big deal and I run a pc. I do have a good antivirus and firewall but the fact of the matter is if you do get it...just follow the directions...and if that doesn't work I hope you have copies of your important stuff 'cuz your probably going to reboot your computer with a version of windows which will basically beat this virus down...spit in it's face...and poop in it's face. Not a big deal...oh and if you do have copies on a external drive...after booting windows, get a really good anti virus noted above and check that drive before using it. Problem solved
Reply to this comment
by kenny1916 April 1, 2009 5:36 AM PDT
good solid advice i have downloaded the the McAfee stinger i think i had the cornflicker cos i never got any updates from windows for about 2 weeks and no updates to my norton and my avg yes i had both running and no they dont clash with each other soanyway i done a full reset but it must have been hideing in my backups so i kleeared everthing from the 12th and reset is i said i also noticed that my wifi would just cut out in the middle of somthing so i ended up doing 3 resets and not installing any old software i would get a copy from cnet and activate it with my key and it seems ak for now touch wood well thats all fokes so watch ureself out there astalavista baby yes i did say vista ok good bye and good luck ......
Reply to this comment
by brandonh33 April 1, 2009 2:40 PM PDT
Haha cornflicker...
by dragonbite April 1, 2009 6:00 AM PDT
Overall, I'm not scared at this point because I run Linux.

Security from obscurity? It also means developers have time to make sure these types of exploits do NOT happen in the first place.
Reply to this comment
by rz007 April 1, 2009 6:35 AM PDT
if we do not have the cornflicker virus should we still down load the removal tools and run them any way???????????
Reply to this comment
by srosenblatt April 1, 2009 7:51 AM PDT
No.
by rz007 April 1, 2009 1:37 PM PDT
Ok thank you......
by rz007 April 1, 2009 1:39 PM PDT
thank you
by April 1, 2009 6:46 AM PDT
I dont understand what they are trying to say by this

"If you're running an up-to-date virus scanner, it's unlikely you'll get infected unless you've configured your computer to not receive automatic Windows updates. Checking your list of installed updates for security update MS08-067 (KB 958644) is not recommended because the worm, alternatively known as Kido, Downup, or Downadup, fakes the patch job. "

Can anyone plz help me to understan if I need this patch KB 958644 or not?I have checked my update list and it has this update.Do I need to keep it or remove it.
Reply to this comment
by srosenblatt April 1, 2009 7:50 AM PDT
Try going to a security suite Web site, such as http://www.eset.com, http://www.symantec.com, or http://www.avira.com. If you can load those Web sites normally, you don't have Conficker because it blocks them.
by MyMobiSafe April 1, 2009 10:39 AM PDT
Conficker Not Targeting Smartphones - Windows Mobile Devices

Hello Team,
Today has been a busy day for the digital security team here at MyMobiSafe.com. We have had a lot of interest from people concerned with the Conficker virus relevant to their Windows Mobile Devices. I have done what I can to help curb these fears via my blog: http://community.zdnet.co.uk/blog/0,1000000567,10012477o-2000440756b,00.htm. Anything that you can do to help inform mobile users that this computer-based in nature and a mobile variant has not emerged is appreciated.

We know there are a lot of people scared by this virus, so we want to do what we can to at least mitigate these concerns within the mobile environment.

Thanks,
Eric Everson ? Founder
MyMobiSafe.com
EricEverson@Hotmail.com
Reply to this comment
by lexmas April 1, 2009 10:58 AM PDT
So i can load Symantec, Eset, Avira, or AVG, BUT NOT microsft.com
I can even go to the microsft update page but cant navigate to microsft.com and cant seems to go to their patch sites.
Ran Malwarebyte and it clened up some things but i still can go to micorsoft.
I also can cess system admin tools
so Am i infected? Im running stinger right now, just in case...
Reply to this comment
by jake3373 April 1, 2009 3:15 PM PDT
you may have a virus, but probably not conficker - also make sure you spelled it right - above you kept saying microsft.com
by mssoot April 1, 2009 11:32 AM PDT
thanks for the advertisement....................NOT
Reply to this comment
by thepinksock April 1, 2009 12:04 PM PDT
I'm scared because I'm dumb and I can't help myself. What should I do? Will Obama consult the creator of the internet, Al Gore, and come up with a plan to rid the world of viruses?
Reply to this comment
by brandonh33 April 1, 2009 2:51 PM PDT
No but he will take control of the internet, fire all the major CEO's for no particular reason, and say everything is better. Sounds like a rock solid plan to me! Obamanation!
by mgheff April 1, 2009 8:19 PM PDT
obama and gore can't do anything
Showing 1 of 3 pages (74 Comments)

Search Download Blog posts

About The Download Blog

Download.com editors cover the world of downloadable software and beyond.

Add this feed to your online news reader

The Download Blog topics

download
Site map
Help center
Our software policies
Newsletters
Submit software
Popular topics
Apple iPhone
Apple iPod
Cell phones
Dell
GPS
LCD TV
CNET sites
CNET Site map
CNET TV
Downloads
News
Reviews
Shopper.com
More information
Newsletters
CNET Mobile
Customer Help Center
RSS
CNET Widgets
About CNET